• No results found

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment"

Copied!
14
0
0

Loading.... (view fulltext now)

Download now ( 14 Page )

Full text

(1)

Applicable to – All the versions of Windows

This article describes how to implement Clientless single sign on authentication with Active Directory integration.

Cyberoam – ADS integration feature allows Cyberoam to map the users and groups from Active Directory for the purpose of authentication.

Prerequisites:

 NetBIOS Domain name

 FQDN Domain name

 Search DN

 Active Directory Server IP address

 Administrator Username and Password (Active Directory Domain)

 IP address of Cyberoam Interface connected to Active Directory server

 Import AD groups

 Configure Clientless SSO

Configuring ADS authentication

Logon to Cyberoam Web Admin Console and follow the below given steps:

Step 1: Create ADS user groups.

Please check Cyberoam version before you continue as this is version specific step.

All Versions below 9.5.3 build 14

Go to Group> Add Group and create all the ADS user groups

For mapping the ADS user groups with the Cyberoam user groups, create all the ADS user groups into Cyberoam before ADS users log on to Cyberoam for the first time. If the ADS groups are not created in Cyberoam, all the users will be assigned to the Default group of Cyberoam.

If all the ADS user groups are created in Cyberoam before users log on to Cyberoam then user will be automatically created in the respective group when they log on to Cyberoam.

Authentication in Single Active Directory Domain

Controller Environment

(2)

2

Step 3: Configure Cyberoam to use Active Directory

Click Add to configure Active Directory parameters Specify IP address of Active Directory

Specify TCP/IP port number in Port field. It is the port on which ADS server listens for the

authentication requests. On Cyberoam appliance, the default port for ADS traffic is 389. If your AD server is using another port, specify port number in Port field.

(3)

Specify NetBIOS Domain name. If you do not know NetBIOS name, refer to section „Determine NetBIOS Name, FQDN and Search DN‟.

Specify Active Directory Administrator Username and password

Cyberoam allows implementing AD integration in two ways:

 Tight Integration – With tight integration, Cyberoam synchronizes groups with AD every time the user tries to logon. Hence, even if the group of a user is changed in Cyberoam, on subsequent log in attempt, user logs on as the member of the same group as configured in Active Directory. In this case group membership of each user is as defined in the Active Directory.

 Loose Integration – With loose integration, Cyberoam does the Group management and does not synchronize groups with AD when user tries to logon. By default, users will be the member of Cyberoam default group irrespective of Active Directory group, administrator can change the group membership. Cyberoam will use authentication attribute for authenticating users with Active Directory.

Click “Test Connection” to check whether Cyberoam is able to connect to the Active Directory or not. If Cyberoam is able to connect to the Active Directory, click Add to save the configuration.

Step 4: Add Domain Query

If Cyberoam is able to connect to the Active Directory, click Add to enter Domain name

(4)

4

Enter Domain name (FQDN Domain Name)

Click Add and enter Search DN. Check the steps provided in section „Determine NETBIOS Name, FQDN and Search DN‟ to find the Search DN.

Click OK to save the query.

(5)

Click Save to save the Domain details

Step 5: Test Active Directory integration

Go to Help>Downloads and click HTTP to open the HTTP client login page.

Specify username and password

(6)

6

Username will be displayed on User>Manage Live Users page if user is able to log on to Cyberoam successfully.

This completes the AD configuration.

Import AD Groups

If you have deployed v 9.5.3 build 14 or above, import AD groups into Cyberoam using Import Wizard before configuring for single sign on.

(7)

Clientless Single Sign on Implementation

Transparent Authentication (Clientless Single Sign on)

Cyberoam introduces Clientless Single Sign On as a Cyberoam Transparent Authentication Suite (CTAS).

With Single Sign On authentication, user automatically logs on to the Cyberoam when logs on to Windows through his windows username and password. Hence, eliminating the need of multiple logins and username & passwords.

But, Clientless Single Sign On not only eliminates the need to remember multiple passwords – Windows and Cyberoam, it also eliminates the installation of SSO clients on each workstation.

Hence, delivering high ease-of-use to end-users, higher levels of security in addition to lowering operational costs involved in client installation.

Cyberoam Transparent Authentication Suite (CTAS) CTA Suite consists of

CTA Agent – It monitors user authentication request coming on the domain controller and sends information to the Collector for Cyberoam authentication.

CTA Collector – It collects the user authentication request from multiple agents, processes the request and sends to Cyberoam for authentication.

How does Cyberoam CTA Agent work?

User Authentication Information Collection Process

1. User tries to log on to the Active Directory Domain Controller from any workstation in LAN.

Domain Controller tries to authenticate user credentials.

2. This authentication process is captured and communicated to CTA Collector over default port 5566 by CTA Agent real time.

3. CTA Collector registers user in the Local database and communicates user information to Cyberoam over the default port 6060

4. Cyberoam queries Active Directory to determine user‟s group membership and registers user in Cyberoam database

Based on data from CTA Agent, Cyberoam queries AD server to determine group membership and based on which access is granted or denied. Users logged into a workstation directly i.e.

locally but not logged into the domain will not be authenticated and are considered as

“Unauthenticated” or “Guest” user. For users that are not logged into the domain, the HTTP Login screen prompting for a manual login will be displayed for further authentication.

(8)

8

Check for “Cyberoam Transparent Authentication Suite” tab from “Start” > “All Programs”.

If installed successfully, “Cyberoam Transparent Authentication Suite” tab will be added.

Consider the below given hypothetical network example where single domain controller is

configured and follow the below given steps to configure Cyberoam Transparent Authentication:

(9)

Step 7: Configure CTA Collector from CTA Collector Tab on Primary Domain Controller

(10)

10

(11)
(12)

12

Step 9: Configure Cyberoam

Logon to CLI Console with default password, go to Option 4 Cyberoam Console and execute following command at the prompt:

corporate>cyberoam cta enable

corporate>cyberoam cta collector add collector-ip <ipaddress> collector-port<port number>

Please make sure that you restart management services after enabling the CTA services.

(13)

Step 10: Enable Security Event logging on Active Directory

This completes the configuration.

(14)

14

Document Version: 2.0-15/07/2011

References

Download now ( PDF - 14 Page - 887.41 KB )

Related documents

ECL-1

Language his understanding makes a him good studenta. His understanding language good student a

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Windows AD Server FortiAuthenticator Server LDAP, RADIUS, or TACACS+ Server Local Users FortiGate Local User Database Mobile Mobile User Group User Group Home

Remote Authentication and Single Sign-on Support in Tk20

however, in case of remote authentication since we do not have complete authentication information clicking on a survey email link will redirect the page to Campustools highered

Examination of existing facilities management approaches to climate change and future directions

Every Statsbygg project shall establish a contact group with representatives from the owner (department), users and Statsbygg to support the involvement of the users. To

Blurring the distinction between empirical and normative legitimacy? A methodological commentary on ‘police legitimacy and citizen cooperation in China’

You want to test a measurement model that (a) operationalises legitimacy as a general belief that the police are morally entitled to dictate appropriate behaviour (i.e. as obligation

Luminis to Banner Single Sign-On

SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries

Authentication and Single Sign On

The next time the user logs in with the same password, Fronter does not need to contact the IMAP server. This can be useful since many organisations have IMAP servers in place

GTA SSO Auth. Single Sign-On Service. Tel: Fax Web:

Active Directory Single Sign-On service is an authentication method which allows users to authenticate only once when logging into a Windows Active Directory domain.. When a user